S0516: SoreFang
Analyst context for executives and security teams
SoreFang matters because MITRE describes it as a Windows first-stage downloader used to exfiltrate data and load additional malware. For leaders, the key risk is not just the downloader itself, but what it enables: follow-on tooling, discovery of accounts/systems/files, command-and-control over web protocols, and potential data loss. It should be treated as an early intrusion signal that requires fast scoping rather than a standalone malware cleanup event.
Executive priority
Prioritize readiness around early-stage intrusion response: confirm whether SOC teams can recognize suspicious downloader behavior, web-based command-and-control, scheduled task persistence, discovery activity, and tool transfer on Windows systems. Because ATT&CK relates SoreFang to APT29 use, organizations with sensitive government, research, policy, or strategic data should ensure incident response playbooks support rapid containment, identity review, and evidence preservation without assuming attribution from a single malware finding.
Technical view
ATT&CK provides no official detection text for SoreFang, so defenders should validate coverage through the related behaviors: scheduled task creation or modification, process/system/network/file/account/domain discovery, obfuscated or decoded content, ingress tool transfer, web protocol command-and-control, and possible public-facing application exploitation in the intrusion chain. On Windows, triage should correlate host process activity, task scheduler artifacts, file creation, network connections, and identity/domain enumeration rather than relying on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line logging
- Windows Task Scheduler events and task file/registry artifacts
- File creation, modification, and quarantine/AV events for downloaded or decoded payloads
- Network proxy, DNS, firewall, and TLS metadata for web protocol communications
- Authentication, directory, and domain controller logs showing local/domain account and group enumeration
Detection direction
- Build detections around behavior clusters: downloader execution followed by discovery, scheduled task activity, outbound web traffic, and additional file retrieval.
- Tune for legitimate administrative activity, because account, group, process, system, storage, and directory discovery can overlap with normal IT operations.
- Correlate web protocol C2 indicators with endpoint context; HTTP/S traffic alone is too common to be decisive.
- Validate whether scheduled task monitoring captures creation, modification, execution, parent process, and user context.
- Because official ATT&CK detection guidance is not provided, use local baselining and incident evidence to define high-confidence patterns.
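The behaviour-cluster approach described in the detection direction above (downloader execution, discovery, scheduled task activity, outbound web traffic and file retrieval correlated per host, with browser traffic and routine admin discovery tuned out) is shown below as an added Python example. It is not code from the original page, from Glexia, or from MITRE. The event records, hostnames, paths, task name and the 203.0.113.10 address are constructed for the example and are not SoreFang indicators; the fifteen-minute window and the three-category threshold are assumptions to be tuned against local baselines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one workstation (WS01) showing the full
# first-stage cluster, one admin host (ADMIN01) doing routine discovery.
# Nothing here is a real indicator; values are made up for the example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "WS01", "kind": "process", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe", "parent": "outlook.exe"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "kind": "process", "user": "alice",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo", "parent": "update.exe"},
    {"ts": "2024-01-10T09:00:09", "host": "WS01", "kind": "process", "user": "alice",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain", "parent": "update.exe"},
    {"ts": "2024-01-10T09:00:20", "host": "WS01", "kind": "task_created", "user": "alice",
     "task_name": r"\ExampleUpdateCheck", "command": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": "2024-01-10T09:01:00", "host": "WS01", "kind": "net_conn", "user": "alice",
     "image": "update.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"ts": "2024-01-10T09:01:30", "host": "WS01", "kind": "file_created", "user": "alice",
     "path": r"C:\Users\alice\AppData\Local\Temp\stage2.dll", "process": "update.exe"},
    # Routine administration: discovery from an interactive cmd.exe, browser traffic only.
    {"ts": "2024-01-10T10:00:00", "host": "ADMIN01", "kind": "process", "user": "itadmin",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all", "parent": "cmd.exe"},
    {"ts": "2024-01-10T10:00:30", "host": "ADMIN01", "kind": "process", "user": "itadmin",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain', "parent": "cmd.exe"},
    {"ts": "2024-01-10T10:01:00", "host": "ADMIN01", "kind": "net_conn", "user": "itadmin",
     "image": "chrome.exe", "dest_ip": "203.0.113.20", "dest_port": 443},
]

# Discovery commands named in the technique table (system, account, group, network, directory).
DISCOVERY = re.compile(r"^(systeminfo|tasklist|ipconfig|dir|net\s+(user|group|localgroup))\b", re.I)
SCHTASKS = re.compile(r"^schtasks(\.exe)?\s+/create\b", re.I)
# Execution or file drops under user-writable locations are weak signals on their own.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Browsers generate HTTP/S constantly; tune them out so web traffic alone is never decisive.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def classify(event):
    """Map one telemetry record to a behaviour category, or None if it is not interesting."""
    kind = event["kind"]
    if kind == "process":
        cmd = event["cmdline"].strip()
        if SCHTASKS.search(cmd):
            return "scheduled_task"
        if DISCOVERY.search(cmd):
            return "discovery"
        if USER_WRITABLE.search(event["image"]):
            return "user_path_execution"
        return None
    if kind == "task_created":  # e.g. Security 4698 or the TaskScheduler operational log
        return "scheduled_task"
    if kind == "net_conn":
        if event["dest_port"] in (80, 443) and event["image"].lower() not in BROWSERS:
            return "web_c2_candidate"
        return None
    if kind == "file_created":
        return "tool_transfer" if USER_WRITABLE.search(event["path"]) else None
    return None


def detect_clusters(events, window=timedelta(minutes=15), min_categories=3):
    """Alert per host when discovery plus at least min_categories distinct behaviours fall in one window."""
    by_host = defaultdict(list)
    for event in events:
        category = classify(event)
        if category:
            by_host[event["host"]].append((datetime.fromisoformat(event["ts"]), category, event))
    alerts = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda item: item[0])
        for i, (start, _, _) in enumerate(tagged):
            in_window = [item for item in tagged[i:] if item[0] - start <= window]
            categories = {category for _, category, _ in in_window}
            # Discovery is required so that a lone dropped file or odd outbound
            # connection does not fire by itself.
            if "discovery" in categories and len(categories) >= min_categories:
                alerts.append({"host": host, "start": start.isoformat(),
                               "categories": sorted(categories),
                               "events": [event for _, _, event in in_window]})
                break  # one alert per host per cluster is enough to open scoping
    return alerts


if __name__ == "__main__":
    for alert in detect_clusters(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["categories"])
```

Run as a script it reports only WS01: the admin host performs the same account and network discovery but has no scheduled task, no non-browser web connection and no dropped file in the window, which is the tuning point the list above makes. In production the categories would be fed from the telemetry sources listed earlier (process creation, Task Scheduler events, file creation, proxy or firewall logs) and the window and threshold adjusted from local baselining.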
Mitigation priorities
- Reduce exposure of public-facing applications through vulnerability and configuration management where that access path is relevant.
- Harden Windows persistence surfaces by monitoring and restricting unauthorized scheduled task creation.
- Limit unnecessary local and domain account visibility through least privilege and administrative role hygiene.
- Ensure endpoint controls can inspect or preserve obfuscated, downloaded, and decoded files for investigation.
- Prepare IR procedures for first-stage downloader findings: isolate affected hosts, preserve telemetry, review identity activity, and hunt for follow-on malware or exfiltration evidence.
Analyst notes and limits
The most useful defensive framing is to treat SoreFang as a first-stage capability associated with a broader intrusion workflow. The relationship set emphasizes discovery, persistence, command-and-control, tool transfer, obfuscation/deobfuscation, and exploitation context. Attribution should be handled carefully: ATT&CK states APT29 uses SoreFang, but local confirmation requires additional evidence beyond the malware name.
The official object has no ATT&CK tactics listed and no official detection section. The object platform is Windows, while several related techniques list broader platforms; conclusions about SoreFang platform coverage should remain limited to Windows unless other evidence is available. External references are provided, but no indicators, hashes, command examples, or guaranteed detections are supplied in the STIX fields here.
SoreFang
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | SoreFang can download additional payloads from C2. [2][1] |
| Enterprise | T1087.002 | Domain Account (sub-technique) | SoreFang can enumerate domain accounts via |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1083 | File and Directory Discovery | SoreFang has the ability to list directories. [2] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | SoreFang can use HTTP in C2 communications. [2][1] |
| Enterprise | T1190 | Exploit Public-Facing Application | SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries. [2] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | SoreFang can gain persistence through use of scheduled tasks. [2] |
| Enterprise | T1082 | System Information Discovery | SoreFang can collect the hostname, operating system configuration, and product ID on victim machines by executing Systeminfo. [2] |
| Enterprise | T1087.001 | Local Account (sub-technique) | SoreFang can collect usernames from the local system via |
| Enterprise | T1069.002 | Domain Groups (sub-technique) | SoreFang can enumerate domain groups by executing |
| Enterprise | T1016 | System Network Configuration Discovery | SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via |
| Enterprise | T1680 | Local Storage Discovery | SoreFang can collect disk space information on victim machines by executing Systeminfo. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | SoreFang has the ability to encode and RC6 encrypt data sent to C2. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SoreFang can decode and decrypt exfiltrated data sent to C2. [2] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] It has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 471ee3c54f0a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NCSC APT29 July 2020: National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- [2] CISA SoreFang July 2016: CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- [3] mitre-attack S0516
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.